CVE-2018-11847

Name of the Vulnerable Software and Affected Versions Qualcomm Snapdragon versions IPQ8074, MDM9206, MDM9607, MDM9650, MDM9655, MSM8909W, MSM8996AU, QCA8081, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 615/16/SD 415, SD 625, SD 632, SD 650/52, SD 820, SD 820A, SD 835, SD 8CX, SDM439, and Snapdragon High Med 2016

Description A malicious Trusted Application (TA) can tag QSEE kernel memory and map it to EL0, allowing corruption of physical memory. This can also be used to corrupt the QSEE kernel, potentially compromising the entire Trusted Execution Environment (TEE) in various Snapdragon products, including Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, and Snapdragon Wired Infrastructure and Networking.

Recommendations For all affected versions, consider implementing memory protection mechanisms to prevent malicious TAs from corrupting the QSEE kernel and physical memory. As a temporary workaround, restrict access to sensitive memory regions until a patch is available. Additionally, ensure that all TAs are thoroughly vetted and validated to prevent malicious activity. At the moment, there is no information about a newer version that contains a fix for this vulnerability.